BIG-IP AFM

BIG-IP ASM

BIG-IP PSM

About configuring the BIG-IP system to detect and prevent DoS and DDoS attacks

DoS and DDoS attack detection and prevention is enabled by the BIG-IP
Advanced Firewall Manager (AFM). DoS and DDoS detection
and prevention serves two functions.

To detect, and automatically mitigate, packets that present as DoS or DDoS attacks.

To determine unusual increases in packets of specific types that are known attack vectors. Possible
attack vectors are tracked over the past hour, and current possible attacks are compared to the
average of that hour.

You can configure a BIG-IP device to detect all system-supported DoS attacks at levels that you
specify.

Detecting and protecting against DoS and DDoS attacks

The BIG-IP system handles DoS and DDoS attacks with
preconfigured responses. With the DoS Protection Device Configuration, you set detection
thresholds and internal rate limits for a range of DoS and DDoS attack
vectors.

If you are using remote logging, from the Log Publisher list,
select a destination to which the BIG-IP system sends DoS and DDoS log entries.

In the Attack Type column, click the name of any attack type to
edit the settings.
The configuration page for the particular attack appears.

From the Detection Threshold PPS list, select
Specify or Infinite.

Use Specify to set a value, in packets per second, for the
attack detection threshold. If packets of this type cross the threshold, an attack is
logged and reported. The system continues to check every second, and continues to mark
the traffic as an attack for as long as the threshold is exceeded.

Use Infinite to set no value for the threshold. This
specifies that this type of attack is never logged or reported.

From the Detection Threshold Percent list, select
Specify or Infinite.

Use Specify to set the percentage increase value that
indicates that an attack is occurring. The system compares the current rate to an average
rate from the last hour. For example, if the average rate for the last hour is
1000 packets per second, and you set the percentage
increase threshold to 100, an attack is detected at 100 percent
above the average, or 2000 packets per second. When the
threshold is passed, an attack is logged and reported. The system then automatically
institutes a rate limit equal to the average for the last hour, and all packets above
that limit are dropped. The system continues to check every second until the incoming
packet rate drops below the percentage increase threshold. Rate limiting continues
until the rate drops below the specified limit again.

Use Infinite to set no value for the threshold. This
specifies that this type of attack is never logged or reported.

Use Specify to set a value, in packets per second, which
cannot be exceeded by packets of this type. All packets of this type over the
threshold are dropped. Rate limiting continues until the rate drops below the
specified limit again.

Use Infinite to set no value for the threshold. This
specifies that this type of attack is not rate-limited.
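
The three settings described above, worked through as a simplified per-second model. This is an added example, not F5 code or a BIG-IP interface. The names `VectorConfig`, `evaluate` and `Tick` are hypothetical, and the model assumes that "cross the threshold" means strictly greater than and that the last-hour average is frozen while the automatic rate limit is active.

```python
from collections import deque, namedtuple
from dataclasses import dataclass

INFINITE = float("inf")  # models the "Infinite" choice in each list
Tick = namedtuple("Tick", "second attack passed_pps dropped_pps")

@dataclass
class VectorConfig:                      # hypothetical container, one attack type
    threshold_pps: float = INFINITE      # Detection Threshold PPS
    threshold_percent: float = INFINITE  # Detection Threshold Percent
    rate_limit_pps: float = INFINITE     # internal rate limit

def evaluate(rates, cfg, window=3600):
    """Apply cfg to a list of per-second packet rates; return one Tick per second."""
    history = deque(maxlen=window)  # rates that make up the last-hour average
    auto_limit = None               # limit instituted after a percent detection
    ticks = []
    for second, pps in enumerate(rates):
        avg = sum(history) / len(history) if history else None
        # Assumption: while the automatic limit is active, the baseline is frozen.
        baseline = auto_limit if auto_limit is not None else avg
        over_pps = pps > cfg.threshold_pps
        over_pct = (baseline is not None and cfg.threshold_percent != INFINITE
                    and pps > baseline * (1 + cfg.threshold_percent / 100))
        if over_pct and auto_limit is None:
            auto_limit = avg        # rate limit equals the last-hour average
        elif auto_limit is not None and pps < auto_limit:
            auto_limit = None       # rate fell below the limit: stop limiting
        limit = min(cfg.rate_limit_pps,
                    INFINITE if auto_limit is None else auto_limit)
        passed = min(pps, limit)
        if auto_limit is None:
            history.append(pps)
        ticks.append(Tick(second, over_pps or over_pct, passed, pps - passed))
    return ticks

# Constructed sample: one minute at 1000 pps, a burst, then recovery.
SAMPLE = [1000] * 60 + [2500, 2500, 1500, 900, 1000]

if __name__ == "__main__":
    for tick in evaluate(SAMPLE, VectorConfig(threshold_percent=100))[58:]:
        print(tick)
```

In the sample run, the second at 1500 pps is no longer reported as an attack but is still rate-limited to 1000 pps, because limiting ends only when the rate falls below the limit.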